diff --git a/ChangeLog.txt b/ChangeLog.txt
index 6a2466cb..696c25e4 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -15,6 +15,8 @@ Broker:
 Client library:
 - Support OpenSSL 1.1.0.
 - Fixed the C++ library not allowing SOCKS support to be used. Closes #198.
+- Fix memory leak when verifying a server certificate with a subjectAltName
+  section. Closes #237.
 
 Build:
 - Don't attempt to install docs when WITH_DOCS=no. Closes #184.
diff --git a/lib/tls_mosq.c b/lib/tls_mosq.c
index 7fd78a59..20f0d3ae 100644
--- a/lib/tls_mosq.c
+++ b/lib/tls_mosq.c
@@ -129,6 +129,7 @@ int _mosquitto_verify_certificate_hostname(X509 *cert, const char *hostname)
 			if(nval->type == GEN_DNS){
 				data = ASN1_STRING_data(nval->d.dNSName);
 				if(data && !mosquitto__cmp_hostname_wildcard((char *)data, hostname)){
+					sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free);
 					return 1;
 				}
 				have_san_dns = true;
@@ -136,20 +137,24 @@ int _mosquitto_verify_certificate_hostname(X509 *cert, const char *hostname)
 				data = ASN1_STRING_data(nval->d.iPAddress);
 				if(nval->d.iPAddress->length == 4 && ipv4_ok){
 					if(!memcmp(ipv4_addr, data, 4)){
+						sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free);
 						return 1;
 					}
 				}else if(nval->d.iPAddress->length == 16 && ipv6_ok){
 					if(!memcmp(ipv6_addr, data, 16)){
+						sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free);
 						return 1;
 					}
 				}
 			}
 		}
+		sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free);
 		if(have_san_dns){
 			/* Only check CN if subjectAltName DNS entry does not exist. */
 			return 0;
 		}
 	}
+
 	subj = X509_get_subject_name(cert);
 	if(X509_NAME_get_text_by_NID(subj, NID_commonName, name, sizeof(name)) > 0){
 		name[sizeof(name) - 1] = '\0';